Everything about the email looked legitimate.
The name and title of the recipient, a member of the armed forces, was correct. So was the context, about a collaborative proposal by a fellow military employee. And after sending the user to a malicious copy of the website, they were even forwarded to the real site.
But it was completely bogus, designed to entrap the user by encouraging them to download malware that would go on to infect his company’s entire IT network. “This is a real attack that we saw,” says Cyril Voisin, an executive security adviser for the Enterprise Cybersecurity Group in France, the Middle East and Africa at Microsoft. “We had the authorisation from the victim to publish it to say this is what it looks like.”
Microsoft experts analysed this common problem during the Cybersecurity and Threat Protection event it hosted in Dubai last week, where chief security officers from three UAE companies, including Emirates Group and National Bank of Abu Dhabi (NBAD, which rebranded this week as First Abu Dhabi Bank), revealed the online threats their companies face and the strategies they use to defeat them.
“Email is the predominant source for these malware attacks,” says Ana Serrano, a product marketing manager for Office 365 at Microsoft Gulf. “Why? First of all, it is a very accessible entry point. Using email, the attack can take many different forms. So the attackers are being very creative with it. Finally, it can be very targeted for the user so it arouses zero suspicion for the person who receives the email.”
In the UAE, 3.2 per cent of the machines Microsoft inspected were found to be infected by viruses, according to an average of the past four Microsoft Security Intelligence Reports. This is about triple the worldwide average of 1 per cent.
“We have a challenge, because we are a very sophisticated country. We are 10 years ahead in so many aspects, but on this we still have some work to do because we have more infections than the rest of the world,” says Mr Voisin.
But companies are now fighting back. Sandro Bucchianeri, the head of cybersecurity, transformation and strategy at NBAD, who took part in the Microsoft event’s panel discussion, says two or three years ago he could not approach the board for a budget to tackle security. That has now changed.
“Now when I go and say we need money for this initiative or that initiative we get that support,” says Mr Bucchianeri.
He says the bank has moved away from traditional methods of educating its employees about cybersecurity risks – such as using a 30-minute slide show – because it is not effective.
“We try to make it more interactive,” he says. “We send them nasty emails for real-world experience, which is testing their ability. When we address security we bring it back down, so ‘how do you secure your Wi-Fi? What should you be looking for to secure your Facebook?’ We try to bring examples to our staff and by doing that we increase their awareness level.”
His fellow panellist Thomas Heuckeroth, the vice president for cybersecurity and infrastructure management at Emirates Group, agrees that recurring 30-minute training sessions do not work. Instead, he says it is important to make the education role-specific.
“It is important that you speak differently to a finance manager than you speak to someone who is sitting in a day-to-day operational job because to them it is completely different,” he says, adding that because most people have a Facebook account, they highlight cyber-attack stories from the media to their staff.
“Everyone has read them, [so we say] what can you do to protect yourself? That’s how we typically make it tangible,” says Mr Heuckeroth.
Saqib Chaudhry, the chief information security officer at the Cleveland Clinic, says the hospital’s comprehensive security programme uses methods such as games to teach its employees about potential threats.
“We also use infographics to catch attention,” he says. “To get the curiosity out there, we say ‘you don’t have to ask questions about securing devices at work, but what are your personal concerns about your computers at home, about how to protect your kids from social media?’”
Mr Chaudhry says the hospital is also looking into a rewards programme for employees who report a phishing email or another security control lapse.
But chief security officers still have work to do. The event heard that it takes on average 146 days globally to detect and deal with an attack. This was from the 2015 Mandiant M-Trends Emea report, released last June. In Europe, the Middle East and Africa, the “dwell time” is even higher at 469 days.
“My ideal world is within 15 to 20 minutes,” says Mr Bucchianeri. “I need to know who is on my network and get them off it as soon as possible. I am under no illusion that my network will be breached. When I go to the board and they ask me how secure we are, I say, ‘We are as secure as everyone in this room. If any one of you clicks on a phishing email it negates what we have been trying to do’.”
business@thenational.ae
Follow The National's Business section on Twitter
